Earlier today, I noticed a bunch of weird requests to one of my Rails apps. I’m not sure what their intention was, but I didn’t want to take the chance, since the IP traced back to somewhere in China, which meant that if something went bad, I’d have little recourse.
So I decided to block their IP. Doing this is pretty easy using iptables on Ubuntu. I just entered this in my terminal after logging in via ssh:
iptables -I INPUT -s 59.56.108.202 -j DROP
I’m not sure if this is the best defense, but it’s what was suggested by the support rep at Mosso. And yes, that is the IP I blocked. It was creating requests that looked like this in the access.log:
sitespress.com:80 59.56.108.202 - - [27/May/2009:17:32:25 +0000] "GET http://116.0.22.245/prxjdg.cgi?en HTTP/1.0" 404 947 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)"
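As an added example that is not part of the original post (constructed sample log lines, documentation IP ranges and hypothetical function names): a small POSIX shell script that scans the vhost-combined access.log format shown above for requests whose target is an absolute URL on another host, like the logged one, and prints the same iptables DROP rule for each source address so it can be reviewed before being run.

```shell
#!/bin/sh
# Added example, not from the original post. Scans access.log lines in the
# vhost-combined format shown above, picks out requests whose request target
# is an absolute URL on another host, and prints (does not run) an iptables
# DROP rule for each source IP that made them.

# Constructed sample log (documentation IP ranges). Only the last two lines
# carry an absolute-URL request target; both come from the same client.
SAMPLE_LOG='example.com:80 192.0.2.10 - - [27/May/2009:17:30:01 +0000] "GET /posts/1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
example.com:80 192.0.2.11 - - [27/May/2009:17:31:14 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
example.com:80 203.0.113.7 - - [27/May/2009:17:32:25 +0000] "GET http://198.51.100.5/prxjdg.cgi?en HTTP/1.0" 404 947 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
example.com:80 203.0.113.7 - - [27/May/2009:17:32:27 +0000] "GET http://198.51.100.5/prxjdg.cgi?en HTTP/1.0" 404 947 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"'

# Field layout of each line, split on whitespace:
#   1 vhost:port  2 client ip  3 ident  4 user  5 [date  6 tz]
#   7 "METHOD     8 request target      9 PROTO"  10 status  11 bytes ...
# So the request target is field 8. Print "count ip" for every client whose
# target starts with http:// or https://, busiest client first.
absolute_url_clients() {
    awk '$8 ~ /^https?:\/\// { hits[$2]++ }
         END { for (ip in hits) print hits[ip], ip }' | sort -rn
}

# Turn each "count ip" line into the DROP rule used in the post. It is printed
# rather than executed so an admin can review it first. Note that a rule added
# with iptables -I lives only in the running kernel; it is gone after a reboot
# unless saved (for example with iptables-save).
block_rules() {
    awk '{ printf "iptables -I INPUT -s %s -j DROP\n", $2 }'
}

# Run the pipeline over the constructed sample instead of /var/log/apache2/access.log.
main() {
    printf '%s\n' "$SAMPLE_LOG" | absolute_url_clients | block_rules
}
```

To use it on a real server, replace the `printf` of the sample with `cat /var/log/apache2/access.log` (or wherever the vhost log lives) and check the printed rules before running any of them.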

iptables is the userland tool. Linux's kernel-level “firewall” is called Netfilter.
http://www.netfilter.org/